Thanks for the quick answer Rob. Also - My website is servicing users spread among 60-ish CA's.
Do I understand this correctly to mean that if I load the CRL's into the NSS db nightly, my website will always do a revocation check against the CRL in the NSS DB, and only go to OCSP if the CRL is missing? What is the expected behavior if the CRL exists in the NSS DB but is stale? mod_revocator - I looked at that but decided to write a Perl program to gather all of the CRL's nightly and load them into the NSS DB. This is because I had to do that anyway because of our disconnected dev/test networks. Thank you for your attention, -Albert Smith Infrastructure Team OUSD(AT&L) eBusiness Center 703 571-3015 -----Original Message----- From: Rob Crittenden [mailto:[email protected]] Sent: Thursday, July 28, 2016 10:00 AM To: Smith, Albert L CTR OSD OUSD ATL (US); [email protected] Subject: [Non-DoD Source] Re: [Mod_nss-list] Revoc check via CRL and OCSP Smith, Albert L CTR OSD OUSD ATL (US) wrote: > Hello, > > I'm running RHEL6 with "httpd-2.2.15-53" and "mod_nss-1.0.10-6". > > My webserver is currently configured to do revocation checking vi OCSP and is > working fine, except when we encounter failures with the OCSP service > provider. > > I would like to configure my webserver to check OCSP first, and in the > case of a failure, use CRL files (either local files on disk or CRL > files loaded into the NSS database) as a secondary. (If OCSP then CRL > isn't possible, is CRL then OCSP possible?) > > Is this possible, and if it is what are the relevant NSS directives to set? NSS will check a CRL automatically if one has been loaded (see crlutil). It does this before doing an OCSP check. The behavior you're seeing won't really change though. If the OCSP check cannot be made then the request will fail. There is no configuration setting to tune that. For automated CRL handling you might want to look at mod_revocator, another Apache module. This will retrieve and load updated CRLs without requiring a restart of Apache. rob
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Mod_nss-list mailing list [email protected] https://www.redhat.com/mailman/listinfo/mod_nss-list
